
Previously tried deleting entries similar to line O17 (85.255.116.114 85.255.112.91), but after restart/connecting to the Internet similar entries reappear in the log. Please help me to get rid of this problem.

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

I see Spyblocker toolbar is installed and this is not highly recommended. See here to find out why.

I recommend that you uninstall the ZoneAlarm Spyblocker toolbar:

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Locate the file mbam.exe and rename it to clear.exe, then double-click to run it.

Wait until it opens up.

Update it. When you get the message that it has updated successfully, check under the Update tab that the Database version reads 2256 or above.

Select "Perform Quick Scan", then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy & paste the MBAM log after running it and removing what it finds, or removing files after reboot.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Hi,
Performed the following steps as advised:
1. Uninstalled ZoneAlarm Spyblocker.
2. Installed Malwarebytes.
3. Updation failed.
4. Performed Quick Scan. The attached log () can be seen.
5. Removed the single finding and restarted the machine as advised by Malwarebytes.
6. Please find attached the HijackThis log (hijackthis.log).
7. Connected to broadband and took another HijackThis log, which can be seen below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:35 AM, on 6/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Hi,
Thank you very much for the response.
1. For "updation failed": I was connected to the internet while I tried to update. Don't know why, but an error window appeared with something like "u need to be connected to the net or ur firewall should allow antimalware to pass through. Error code 732". But BitDefender never asked me whether I should allow or block.
2. For "connected to broadband" I meant: after Malwarebytes removed the entry and I had done a restart, without connecting to the internet I took a HijackThis log, and another after connecting to the internet. This is all after Malwarebytes said it had removed the entry.
I took two logs because I observed before that every time after this registry entry is deleted and I restart, at first those nameservers won't be there, but as soon as I connect to the internet those nameservers reappear in the registry.
3. Please find below the log.txt as advised:

Right click on your default connection (usually Local Area Connection) and select Properties.

Select the General tab.

Double click on Internet Protocol (TCP/IP).
Under General tab:

Select "Obtain an IP address automatically".

Select "Obtain DNS server address automatically".

Click OK twice to save the settings.

Reboot if you had to change any setting.

Try to update MBAM; if you still can't, tell me about it.
If you couldn't update, update MBAM manually. To do that, download mbam-rules.exe.
Double-click mbam-rules.exe to run it.
Then run MBAM, let it remove what it finds, reboot if needed and post the log.

Please copy and paste a fresh Hijackthis log to your reply while you are connected to the broadband.

Hi,
1. The network connection options were as usual and as suggested by you.
2. Updation of MBAM failed again.
3. Downloaded mbam.exe and executed it, but not sure whether it really updated anything; the database version is still 2202.
Please find the log for MBAM below:

Malwarebytes' Anti-Malware 1.37
Database version: 2202
Windows 5.1.2600 Service Pack 2

The question was: when you go to Start => Control Panel => Network Connections and double-click Network Connections to open it, what do you see inside it? Is Local Area Connection the only icon inside it?

There were altogether 5 icons:
Broadband:
1. Broadband Connection: status: Connected, firewalled. Checked the TCP/IP configuration for this, and it was suspicious: "use the following DNS server addresses" was checked and those two IP addresses were given, '85.255.116.114 85.255.112.91'. This is also the connection which I use to connect to the internet.
2. Broadband: status - disconnected. I don't use this.
Dialup:
3. Biplab: status - disconnected. I don't use this.
4. LanRoad on Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - disconnected. I don't use this.
LAN:
5. Local Area Connection: status - connected. TCP/IP properties were as expected.

1. Broadband Connection: status: Connected, firewalled. Checked the TCP/IP configuration for this, and it was suspicious: "use the following DNS server addresses" was checked and those two IP addresses were given, '85.255.116.114 85.255.112.91'. This is also the connection which I use to connect to the internet.

Well done. This is not just suspicious; this is a DNS-hijacker server in Ukraine. This is what I saw in the log before, and when I asked you to reset your default connection I meant this connection. Local Area Connection is not your default connection. Therefore apply the setting I suggested in post 6 for this connection. After that, reboot and see if MBAM updates. Also do the following to make sure the setting is what it is supposed to be:

Go to start > Run copy/paste the following line in the run box and click OK.

thanks Farbar,
I checked the 'Obtain DNS server address automatically' in the Network connection and restarted the PC.
MBAM updates perfectly and the database version changed to 2271.
Also Please find the ipconfig log below:

All the sites which previously used to say that the 'link is broken' have also started to work. The MBAM scan also said it is clean. Thank you very much.
And one thing more: while scanning through this and other sites related to spyware & malware, I also got quite interested in this domain of diagnosing and removing malware and want to know more. Any advice from you regarding it will also be helpful for me.

Let me know of any other things that I might need to do.
Thanks & Regards,
Biplab

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name(s) suggest. In today's world cyber crime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

FixCSet::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:

Read the License Agreement, and then check the box that says: "Accept License Agreement".

Click Continue and the page will refresh.

Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.

Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.

Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Also tell me how your computer is running and if you have any questions before we uninstall ComboFix and round off. I'll give you some recommendations.